S 5.132 Secure use of WebDAV under Windows Server 2003
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Administrator
With the help of Web Distributed Authoring and Versioning (WebDAV), it is possible to make Windows 2000 Server/Windows Server 2003 files available over an HTTP-capable network connection. WebDAV is a better alternative to FTP in Windows Server 2003 because it makes protected authentication of Windows user accounts possible. Some other server applications available also offer a WebDAV interface, for example the Microsoft Exchange Server and Windows SharePoint Services. Suitable WebDAV clients can be found in safeguard S 4.282 Secure configuration of the IIS base components under Windows Server 2003.
The following points at a minimum should be taken into account when planning the use of WebDAV:
- The Internet Information Services (IIS) are needed on the server.
- It is possible using WebDAV shares to edit files located on the server directly on the client (the files are automatically locked in this case), but it is impossible to start executable programmes directly on the server. In general, the client software planned to be used must first be tested for compatibility with WebDAV connections.
- How exposed is the WebDAV access (Intranet/Extranet/Internet)? Or is it only used occasionally in the LAN, for example for administrative purposes? These questions influence the security requirements placed on the authentication process (e.g. anonymous, basic authentication via HTTPS, Kerberos, etc.) and on the type of user administration. Even the security requirements for the server itself are affected by these questions. The result of analysing these questions may be that WebDAV will be published in the Internet with anonymous access and a high number of visitors is expected. In this case, the entire server would need to be protected using the safeguards for public web servers (see module 5.10 Internet Information Server). One design-related aspect in this case for Windows Server 2003 is that WebDAV must be enabled on the same server providing the desired files. It is impossible to make a distinction between file servers and WebDAV servers in terms of security gateways and DMZ scenarios.
Another result could be that an administrator will occasionally need to quickly download a software image file from a help desk server in the Active Directory domain. In this case, the administrator could create a WebDAV share when needed and assign the WebDAV share to a drive letter using his domain user account (Kerberos authentication). If S 4.282 Secure configuration of the IIS base components under Windows Server 2003 has already been implemented, then the additional time and effort required for this is minimal.
- Should the data be encrypted during transmission? The simplest method for ensuring a secure path for end-to-end encryption is to use a secure channel via HTTPS, which is configured in the IIS. Not all WebDAV clients support HTTPS optimally, though. Alternatively, consideration can also be given to using VPN or IPSec, in which case the time and effort required would be proportionally higher than the security benefits obtained. In any case, a method must be selected that can guarantee end-to-end encryption.
- If a secure channel (HTTPS) cannot be used for encryption, then the planned WebDAV clients must at least support digest authentication or the integrated Windows authentication mechanism (NTLMv2 or Kerberos). This also applies when using a VPN instead of HTTPS. The authentication procedure cannot be adequately protected otherwise.
- After a standard installation of Windows Server 2003, the web client service is disabled for security reasons. It is recommended to leave the default setting alone in this case and not use this service on the server. An HTTP/HTTPS browser is adequate for accessing the WebDAV shares if you only want to transfer files for administration purposes. The same requirements apply to the encryption and authentication mechanisms of the HTTP/HTTPS browser as a WebDAV client (most browsers support the authentication mechanisms mentioned in point 4 above).
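The transport and authentication requirements in the points above can be checked from the client side before a WebDAV share is approved: an HTTP OPTIONS request to the share reveals whether the server answers anonymously and which authentication schemes it offers in its WWW-Authenticate headers. The following script is an added example written for this safeguard, not code from BSI or from Microsoft; the policy it encodes (Basic only over HTTPS; Digest, NTLM or Negotiate/Kerberos required over plain HTTP or a VPN; anonymous access flagged for review under module 5.10) is an interpretation of the points above, and the sample responses at the bottom are constructed, not captured from a real server.

```python
"""Audit a WebDAV endpoint's transport and authentication offer.

Example code added to S 5.132 (not BSI's own). Policy encoded here, as an
interpretation of the planning points above:
  - over HTTPS: Basic, Digest, NTLM and Negotiate (Kerberos) are acceptable;
  - over plain HTTP (or a VPN without HTTPS): only Digest, NTLM or Negotiate,
    because Basic would expose the password;
  - no challenge at all (2xx on OPTIONS) means anonymous access, so the
    server must be reviewed as a public web server.
"""
import http.client
from urllib.parse import urlsplit

ACCEPTED_OVER_HTTPS = {"basic", "digest", "ntlm", "negotiate"}
ACCEPTED_OVER_HTTP = {"digest", "ntlm", "negotiate"}


def parse_challenges(www_authenticate_headers):
    """Return the lower-cased scheme names offered in WWW-Authenticate headers.

    IIS sends one header per scheme (e.g. 'Negotiate', 'NTLM',
    'Basic realm="webdav"'), so the scheme is the first token of each value.
    """
    schemes = set()
    for value in www_authenticate_headers:
        token = value.strip().split(" ", 1)[0].lower()
        if token:
            schemes.add(token)
    return schemes


def evaluate(scheme, status, offered):
    """Classify an endpoint as PASS, FAIL or REVIEW with a list of findings.

    scheme: 'http' or 'https'; status: OPTIONS response code;
    offered: set of scheme names from parse_challenges().
    """
    findings = []
    if status != 401:
        if 200 <= status < 300:
            findings.append("anonymous access: apply the public web server "
                            "safeguards (module 5.10)")
        else:
            findings.append(f"unexpected status {status}: check manually")
        return "REVIEW", findings
    if scheme == "https":
        acceptable = ACCEPTED_OVER_HTTPS
    else:
        acceptable = ACCEPTED_OVER_HTTP
        findings.append("transport unencrypted: file contents cross the "
                        "network in clear")
        if "basic" in offered:
            # A client may fall back to Basic even if stronger schemes exist.
            findings.append("Basic authentication offered over HTTP: "
                            "password would be exposed")
            return "FAIL", findings
    if not offered & acceptable:
        findings.append("no acceptable authentication scheme offered: "
                        + ", ".join(sorted(offered)))
        return "FAIL", findings
    return "PASS", findings


def probe(url, timeout=5):
    """Send OPTIONS to a live share and evaluate the reply (network access)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("OPTIONS", parts.path or "/")
        resp = conn.getresponse()
        # getheaders() keeps duplicate headers, one entry per scheme.
        headers = [v for k, v in resp.getheaders()
                   if k.lower() == "www-authenticate"]
        return evaluate(parts.scheme, resp.status, parse_challenges(headers))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample responses standing in for real OPTIONS replies.
    samples = [
        ("https", 401, ["Negotiate", "NTLM", 'Basic realm="webdav"']),
        ("http", 401, ['Basic realm="webdav"']),
        ("http", 401, ['Digest realm="webdav", qop="auth", nonce="x1"']),
        ("http", 200, []),
    ]
    for scheme, status, hdrs in samples:
        verdict, notes = evaluate(scheme, status, parse_challenges(hdrs))
        print(f"{scheme}: {verdict} {notes}")
```

Run `probe("https://server.example/webdav/")` against a planned share during the planning phase; a PASS over plain HTTP still carries the finding that file contents are unencrypted, which is exactly the situation in which the safeguard requires HTTPS, VPN or IPSec to be chosen.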
Use of drive letters and encryption
Windows XP contains a WebDAV redirector that is able to assign a drive letter to a WebDAV share. This can be useful when you need to maintain compatibility with older programmes. However, this assignment does not work over HTTPS connections. If it is necessary to use drive letters and HTTPS, then the use of programmes from third-party providers must be taken into consideration. It is not recommended to use an unencrypted connection via HTTP.
It is also possible to encrypt the data transmission using EFS as an alternative to HTTPS. In this case, the data is encrypted on the client and then transmitted in encrypted form to the server, where it is also stored in encrypted form. This functionality can only be used in Windows 2000/XP and has a file size limit of 60 megabytes. Use of the EFS method is not recommended in normal IT environments since additional risks arise in this case (T 4.54 Loss of protection via the encrypting file system EFS), and additional safeguards may then need to be implemented (S 4.278 Secure use of EFS under Windows Server 2003).
Review questions:
- Is the web client in Windows Server 2003 deactivated if it is not required?
- Does the WebDAV access meet the authentication and encryption policies of the organisation?
- Are the Internet Information Services (IIS) on the WebDAV server configured securely considering the environment they are used in?